Linux kernel Bridge Multicast NULL Pointer Dereference

This bug was reported to the netdev mailing list by Frank Arnold. From the kernel oops he posted we can read that a NULL pointer dereference occurred while looking up the bridge's MDB (multicast database) entry in br_mdb_ip_get(). As Eugene Teo pointed out, it could be triggered remotely: an IGMP packet arriving at a bridge that has no multicast table allocated is enough. In that case the MDB pointer is NULL, and br_mdb_ip_get() (in net/bridge/br_multicast.c) executes the code below:

Clearly, the attempt to access ‘&mdb->mhash[hash]’ as well as ‘hlist[mdb->ver]’ results in a NULL pointer dereference, since ‘mdb’ is NULL when no multicast table has been allocated. To fix this, br_mdb_ip_get() was replaced entirely by the following code:

This wrapper explicitly checks ‘mdb’ against NULL before invoking __br_mdb_ip_get(). The functions br_mdb_ip4_get() and br_mdb_ip6_get(), which handle IPv4 and IPv6 packets respectively, were updated to call this wrapper instead of __br_mdb_ip_get() directly. Finally, br_mdb_get() was changed to remove the following check:
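As an added illustration (written for this post, not the kernel's code and not the patch discussed above), the following user-space C model reproduces the shape of the bug and of the fix: a hash-table lookup whose hash function and bucket walk both dereference the table pointer, an unchecked caller in the pre-fix shape, the NULL-checking wrapper in the post-fix shape, and a report handler that survives a lookup on a bridge that has no table yet. The structure layouts, the hash function, the secret and the sample group addresses are all assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical user-space model of the bridge MDB lookup path. The names
 * mirror the kernel's (br_ip, __br_mdb_ip_get, br_mdb_ip_get) but nothing
 * here is kernel code; table layout, hash and helpers are stand-ins.
 */

#define MDB_HASH_SIZE 16

struct br_ip {
	uint32_t ip4;             /* IPv4 group address; IPv6 left out of the model */
};

struct mdb_entry {
	struct br_ip addr;
	struct mdb_entry *next;   /* bucket chain */
};

struct mdb_htable {
	struct mdb_entry *mhash[MDB_HASH_SIZE];
	uint32_t secret;          /* per-table hash secret (assumed) */
};

struct net_bridge {
	struct mdb_htable *mdb;   /* NULL until the first multicast group is learned */
};

/* Stand-in for the kernel's hash; note that it already reads *mdb. */
static unsigned int br_ip_hash(const struct mdb_htable *mdb, const struct br_ip *ip)
{
	uint32_t h = ip->ip4 ^ mdb->secret;

	h ^= h >> 16;
	h *= 0x45d9f3bU;
	h ^= h >> 16;
	return h % MDB_HASH_SIZE;
}

/* Bucket walk. Reading mdb->mhash[hash] with mdb == NULL is the oops. */
static struct mdb_entry *__br_mdb_ip_get(struct mdb_htable *mdb,
					 const struct br_ip *dst, unsigned int hash)
{
	struct mdb_entry *mp;

	for (mp = mdb->mhash[hash]; mp; mp = mp->next)
		if (mp->addr.ip4 == dst->ip4)
			return mp;
	return NULL;
}

/* Pre-fix shape: no check, so a NULL table is dereferenced twice. Never call with NULL. */
struct mdb_entry *br_mdb_ip_get_unchecked(struct mdb_htable *mdb, const struct br_ip *dst)
{
	return __br_mdb_ip_get(mdb, dst, br_ip_hash(mdb, dst));
}

/* Post-fix shape: the wrapper refuses a NULL table before touching it. */
static struct mdb_entry *br_mdb_ip_get(struct mdb_htable *mdb, const struct br_ip *dst)
{
	if (!mdb)
		return NULL;
	return __br_mdb_ip_get(mdb, dst, br_ip_hash(mdb, dst));
}

/* Model of the report path: 1 if the group is known, 0 otherwise, never a crash. */
int handle_igmp_report(struct net_bridge *br, uint32_t group)
{
	struct br_ip ip = { .ip4 = group };

	return br_mdb_ip_get(br->mdb, &ip) != NULL;
}

/* Demo-only insert; the kernel allocates and rehashes, this model does not. */
static void mdb_add(struct mdb_htable *mdb, struct mdb_entry *e, uint32_t group)
{
	unsigned int hash;

	e->addr.ip4 = group;
	hash = br_ip_hash(mdb, &e->addr);
	e->next = mdb->mhash[hash];
	mdb->mhash[hash] = e;
}

/* Constructed scenario: a report for 239.1.1.1 arrives before any table exists. */
int demo_report_without_table(void)
{
	struct net_bridge br = { .mdb = NULL };

	/* br_mdb_ip_get_unchecked(br.mdb, ...) here would dereference NULL. */
	return handle_igmp_report(&br, 0xEF010101U);
}

/* Constructed scenario: the table holds 239.1.1.1; look up the given group. */
int demo_report_with_table(uint32_t group)
{
	struct mdb_htable table = { .secret = 0x5eed1234U };
	struct mdb_entry e;
	struct net_bridge br = { .mdb = &table };

	mdb_add(&table, &e, 0xEF010101U);
	return handle_igmp_report(&br, group);
}

int main(void)
{
	printf("no table, 239.1.1.1 known: %d\n", demo_report_without_table());
	printf("table, 239.1.1.1 known:    %d\n", demo_report_with_table(0xEF010101U));
	printf("table, 239.2.2.2 known:    %d\n", demo_report_with_table(0xEF020202U));
	return 0;
}
```

The point the model makes is that the check has to sit in front of every dereference of the table pointer: in the real code both the hash computation and the bucket walk take ‘mdb’, so placing the NULL test inside __br_mdb_ip_get() alone would still leave br_ip_hash() to fault first, which is why the fix wraps the whole call.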